Slashdot Mirror


Vulnerabilities Found (and Sought) In More Command-Line Tools

itwbennett writes The critical Shellshock vulnerabilities found last month in the Bash Unix shell have motivated security researchers to search for similar flaws in old, but widely used, command-line utilities. Two remote command execution vulnerabilities were patched this week in the popular wget download agent and tnftp client for Unix-like systems [also mentioned here]. This comes after a remote code execution vulnerability was found last week in a library used by strings, objdump, readelf and other command-line tools.

8 of 87 comments

  1. For all the idiots by mcrbids · · Score: 5, Insightful

    ... to the masses of sarcastic "I thought Open Source was more secure!" crowd: in an Open Source forum, when vulnerabilities are found, they are patched. Since it's a public forum, the vulnerabilities are disclosed, and patches / updates made available. The poor, sorry state of the first cut gets rapidly and openly improved.

    With closed source, the vulnerabilities merely stay hidden and undisclosed, and you have no ability to know about it, or fix it yourself. The poor, sorry state of the first cut never improves. Yes, there are some cultures that take security seriously. You have no way of knowing.

    This, right here, is what "more secure" looks like: public notification of the vulnerabilities and patches to distribute.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:For all the idiots by Anonymous Coward · · Score: 0, Insightful

      I'm sure glad that open source software is the only software that ever releases security updates and hotfixes in a timely and monthly manner.

    2. Re:For all the idiots by chipschap · · Score: 4, Insightful

      Here we go again, more "proof" for the "see I told you Windows is better" crowd.

    3. Re:For all the idiots by Hydrated+Wombat · · Score: 3, Insightful

      I would interpret the AC as not being sarcastic. Updating on any open source operating system has been much, much easier and much more timely than any part of Windows for me, but that's just my experience. Not to say that everything is easier in Linux, but updates have always been timely, and it doesn't flip out and use all my RAM. Bash auto-updated before the Slashdot story hit my newsfeed.

    4. Re:For all the idiots by quantaman · · Score: 3, Insightful

      "But with Linux most contributors, be they individuals or companies, are primarily concerned with their own projects."

      Your definition of contributor is skewed. A FOSS contributor may do so in many ways. Clearly a project lead for a major project isn't going to contribute further by analyzing the ecosystem; their plate is full. There are others, also known as contributors, who do this. Other contributors administer project websites or write documentation. There is a whole wide array of types of contributors.

      That being said, clearly there are more developers than people doing security audits, and it would be nice to see more contributors in all the other categories, actually.

      My definition of contributor didn't exclude non-coders. The point was that most contributors, except for a few individuals, are contributing with a specific goal or direction in mind. Implement feature X, support customer Y, make nicer docs, make a nicer build, etc. All of those tasks have a nice tangible outcome that is good for motivating people.

      Auditing old code for potential security vulnerabilities is hard work, it isn't fun, and it's unlikely to scratch a particular itch. Those kinds of problems aren't a strength of the open source model.

      --
      I stole this Sig
  2. Re:Am I paranoid? by Anonymous Coward · · Score: 4, Insightful

    It's not like your "theory" is falsifiable, either.

  3. Re:tnftp by MrBingoBoingo · · Score: 4, Insightful

    Well the difference is... reading, and reading is nothing if not for rereading. A billion, thousand, or even three eyes mean nothing if they're aimed at cat videos. Instead of reinventing every API to keep it fresh a la the GNOME model, to get actual tools you have to instead make sure what you're already working with... works.

  4. Re:But I thought Linux was invulnerable! by jones_supa · · Score: 3, Insightful

    All the eyes ... they do nothing! Arrrrrg.

    Linus's Law worked better back in the day when the projects were smaller, but these days most people do not have the time or inclination to go through hundreds of thousands of lines of source code. You really want to be paid for that kind of work, in other words professional code audits.